Modify attribute properties in Active Directory

October 5, 2009

Long long ago, I did an active directory configuration with minor tweaking ( yet not widely documented ) for converting a single-valued attribute to multi-valued attribute. And automated couple of testcases for adding multiple values to an attribute using ldap eway and was living happily till last week.

Last week was when one of those unfortunate event had happened ie. the automated tests were failing and with the few minutes of investigation revealed I need to redo the ADS setup in a different m/c due to multiple reasons. 

Everything went cool, duplicating the domain data, SSL configuration till I tried to add multiple values to the attribute and only to see the below error in the ldap client,

the attribute cannot be modified because its owned by the system

 I searched my documents in vain for the tiny-secret-formulae which helped me long back. I was struggling, googling, bing(l)ing for hours and desperately installing few third-party tools hoping it would do the job, finally I stumbled on it,

Down here the steps to convert single-valued attribute to multi-valued attribute,

  1. Login as a member of Schema Admins
  2. Launch LDP.EXE
  3. Connect to the Schema Master using LDP.EXE
  4. Bind to the Schema Master using an account with Schema Admin permissions.
  5. From the Browse menu, choose Modify
  6. In the Modify dialog box, leave the DN field blank, and type schemaUpgradeInProgress in the Attribute field. In the Value field, enter the number 1. Click the Enter button, then click the Run button.
  7. Close the Modify dialog box.
  8. Launch ADSIEDIT.MSC and goto the properties of the attribute here its ‘sn’
  9. Check for the property name ‘isSingleValued’ and change the value to False. Click on Apply and close the property window.
  10. Run LDP again, and change the value of schemaUpgradeInProgress from 1 to 0.
  11. From the Active Directory Schema console, right click on the console and choose "Reload the Schema"
Check with your favorite ldap client adding multiple values for the same attribute.